CVE-2020-8287

Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
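
As a defence-in-depth check for the duplicate-header condition described above, the following added example (not part of the original advisory and not Node.js project code) flags requests whose message-framing headers are repeated or conflict. It assumes the headers are available as an alternating name/value list in the layout of Node's `req.rawHeaders`; the function names and sample inputs are constructed for illustration.

```javascript
'use strict';

// Headers that decide where a request body ends. If a front end and a back end
// pick different copies of these, they disagree on request boundaries.
const FRAMING_HEADERS = new Set(['transfer-encoding', 'content-length']);

// rawHeaders: [name1, value1, name2, value2, ...] (req.rawHeaders layout).
function findFramingAnomalies(rawHeaders) {
  const seen = new Map(); // lower-cased name -> values in arrival order
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).trim().toLowerCase();
    if (!FRAMING_HEADERS.has(name)) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(String(rawHeaders[i + 1]).trim());
  }
  const anomalies = [];
  for (const [name, values] of seen) {
    // The condition from the advisory: more than one copy of the same field.
    if (values.length > 1) {
      anomalies.push({ type: 'duplicate', header: name, values });
    }
  }
  // Both framing mechanisms present at once is ambiguous as well.
  if (seen.has('transfer-encoding') && seen.has('content-length')) {
    anomalies.push({ type: 'conflict', header: 'transfer-encoding+content-length' });
  }
  return anomalies;
}

// True when the request should be refused (for example with 400) before routing.
function shouldReject(rawHeaders) {
  return findFramingAnomalies(rawHeaders).length > 0;
}

// Constructed sample inputs (not captured traffic).
const duplicated = ['Host', 'app.example', 'Transfer-Encoding', 'chunked',
                    'Transfer-Encoding', 'chunked'];
const clean = ['Host', 'app.example', 'Content-Length', '11'];

console.log(JSON.stringify(findFramingAnomalies(duplicated)));
console.log(shouldReject(clean));
```

Upgrading to a fixed release remains the remediation; a check like this is useful for logging or rejecting ambiguous requests at a component that sits in front of unpatched hosts.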

Risk Information

Base Score: 6.5 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score (Exploitation Probability): 11.054

Associated Vulnerability

| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 12 (x64) (12.20.1) | Windows |
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 12 (12.20.1) | Windows |
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 14 (x64) (14.15.4) | Windows |
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 14 (14.15.4) | Windows |
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 10 (x64) (10.23.1) | Windows |
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 10 (10.23.1) | Windows |
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 15.5.1 | Windows |
| Vulnerabilities CVE-2020-8265,CVE-2020-8287,CVE-2020-1971 are fixed in Node.js 10 (x64) (10.24.1) | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0 | Windows |
| nodejs security update(DSA-4826-1) nodejs_10.23.1~dfsg-1~deb10u1_i386.deb | Linux |
| nodejs security update(DSA-4826-1) nodejs_10.23.1~dfsg-1~deb10u1_amd64.deb | Linux |
| (RHSA-2021:0549) nodejs:12 security update nodejs-nodemon-2.0.3-1.module+el8.3.0+9715+1718613f.noarch.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update nodejs-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update nodejs-debugsource-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update nodejs-devel-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update nodejs-docs-14.15.4-2.module+el8.3.0+9635+ffdf8381.noarch.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update nodejs-full-i18n-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update nodejs-nodemon-2.0.3-1.module+el8.3.0+6519+9f98ed83.noarch.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm | Linux |
| (RHSA-2021:0551) nodejs:14 security and bug fix update npm-6.14.10-1.14.15.4.2.module+el8.3.0+9635+ffdf8381.x86_64.rpm | Linux |
| parser for HTTP messages: development libraries and header files (USN-5563-1) libhttp-parser2.7.1_2.7.1-2ubuntu0.1_i386.deb | Linux |
| parser for HTTP messages: development libraries and header files (USN-5563-1) libhttp-parser2.7.1_2.7.1-2ubuntu0.1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_10.19.0~dfsg-3ubuntu1.1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_4.2.6~dfsg-1ubuntu4.2_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_4.2.6~dfsg-1ubuntu4.2_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_8.10.0~dfsg-2ubuntu0.4_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_8.10.0~dfsg-2ubuntu0.4_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) libnode64_10.19.0~dfsg-3ubuntu1.1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_4.2.6~dfsg-1ubuntu4.2_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_4.2.6~dfsg-1ubuntu4.2_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_8.10.0~dfsg-2ubuntu0.4_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_8.10.0~dfsg-2ubuntu0.4_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) libnode-dev_10.19.0~dfsg-3ubuntu1.1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-legacy_4.2.6~dfsg-1ubuntu4.2_all.deb | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-debuginfo-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-debugsource-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-devel-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-docs-10.23.1-1.module+el8.3.0+9502+012d8a97.noarch.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-full-i18n-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.noarch.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.noarch.rpm | Linux |
| (RHSA-2021:0548)Moderate: security update npm-6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97.x86_64.rpm | Linux |

Patch Details

Patches provided by ManageEngine for this CVE:

| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-317847 | Node.js 14 (x64) (14.15.4) |
| PATCH-317845 | Node.js 14 (14.15.4) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
| PATCH-319042 | Node.js 10 (10.24.1) |
